Tangerine 2-FA is Here

Last Updated: Jul 9th, 2021 1:45 pm
[OP]
Deal Addict
Nov 21, 2017
3115 posts
3480 upvotes

Got an email saying "Good news! As part of our commitment to keeping your money and personal information safe, we’ve launched 2‑Step Authentication. - a security feature designed with your peace of mind, in mind!"

I've been waiting for it since December. Tangerine did not provide a date for the launch. As most suspected, it's 2-FA via SMS, which is still vulnerable to SIM card swaps. But it's still better than just having login/password/secret questions. Also, the email mentions that alternative 2-FA methods will come in the future...of course with no date provided!

IMO they should still have kept secret questions with the 2-FA (on an unregistered computer for example). Also, I hope Tangerine is not allowing password resets via SMS because that would be a huge vulnerability.

Still, I guess this is progress and better than nothing.
_______________
77 replies
Deal Fanatic
Jan 19, 2017
5211 posts
2939 upvotes
thelasthunter wrote: Got an email saying "Good news! As part of our commitment to keeping your money and personal information safe, we’ve launched 2‑Step Authentication. - a security feature designed with your peace of mind, in mind!"

I've been waiting for it since December. Tangerine did not provide a date for the launch. As most suspected, it's 2-FA via SMS, which is still vulnerable to SIM card swaps. But it's still better than just having login/password/secret questions. Also, the email mentions that alternative 2-FA methods will come in the future...of course with no date provided!

IMO they should still have kept secret questions with the 2-FA (on an unregistered computer for example). Also, I hope Tangerine is not allowing password resets via SMS because that would be a huge vulnerability.

Still, I guess this is progress and better than nothing.
SMS only? They assume everyone has a cell phone and free to receive text. Why not email option?
Deal Fanatic
Dec 16, 2005
5734 posts
3820 upvotes
I don't see anywhere I can enable this.
[OP]
Deal Addict
Nov 21, 2017
3115 posts
3480 upvotes
mech9t5 wrote: I don't see anywhere I can enable this.
You should receive an email, if not now very soon. Also, you can see it in your Insights section when you log in to your online banking.
Last edited by thelasthunter on Apr 8th, 2021 1:38 pm, edited 1 time in total.
_______________
Deal Fanatic
Jan 18, 2003
5901 posts
1678 upvotes
Mississauga
Kiraly wrote: Oh good lord, PLEASE let this not be every goddamn time you log in.
I'm just glad the app is finally fast to log in... used to be the slowest app ever
[OP]
Deal Addict
Nov 21, 2017
3115 posts
3480 upvotes
Kiraly wrote: Oh good lord, PLEASE let this not be every goddamn time you log in.
You can register your computer so it won't be a requirement the next time you log in via that computer. However, that has its vulnerabilities too, say if someone were to hack into your PC remotely or even physically at home. For me, it's an extra 5 seconds, so no big deal.
_______________
[OP]
Deal Addict
Nov 21, 2017
3115 posts
3480 upvotes
ml88888888 wrote: SMS only? They assume everyone has a cell phone and free to receive text. Why not email option?
Yes, it requires cell and text messaging, but at least you don't need a smartphone. The email option 2-FA is historically less secure than even SMS so that wouldn't be great imo. You don't have to enable the Tangerine 2-FA if you don't want to.
It's clear that Tangerine is heading towards Google Authenticator type 2-FA, which is a LOT better than SMS, but we don't know when. The bar for banks in Canada is so low it's sad. My Gmail, Yahoo and all my Crypto accounts already use Yubikey for some time, which is the gold standard. But this is better than nothing.
_______________
Deal Guru
Jan 9, 2011
11599 posts
14388 upvotes
Vancouver
I would be much happier if Tangerine, instead of implementing 2FA, would let us choose login passwords that are not limited to 4 or 6 DIGITS. I am of the opinion that the minimal security gained by SMS authentication is not worth the hassle of doing it every time. Letting us pick some actually secure passwords will do a lot more for security with a lot less hassle.
[OP]
Deal Addict
Nov 21, 2017
3115 posts
3480 upvotes
Kiraly wrote: I would be much happier if Tangerine, instead of implementing this, would let us choose login passwords that are not limited to 4 or 6 DIGITS.
Why not both? Even the most complicated passwords are useless if someone hacks into your password manager
_______________
Deal Guru
Jan 9, 2011
11599 posts
14388 upvotes
Vancouver
thelasthunter wrote: Why not both? Even the most complicated passwords are useless if someone hacks into your password manager
And 2FA is useless if someone steals your phone number, which really isn't all that hard for hackers to do. I really believe that SMS 2FA really isn't as secure as many people make it out to be, and certainly not secure enough for me to have to put up with it every time I log in. I won't be enabling it with Tangerine just like I haven't turned it on with any other service. Now if the CRA would get rid of this requirement for me to do it EVERY TIME I log in, it would make my day. I'm fine to do it once for every new device I use to log in, but EVERY TIME? Nope.
[OP]
Deal Addict
Nov 21, 2017
3115 posts
3480 upvotes
Kiraly wrote: And 2FA is useless if someone steals your phone number, which really isn't all that hard for hackers to do. I really believe that SMS 2FA really isn't as secure as many people make it out to be, and certainly not secure enough for me to have to put up with it every time I log in. I won't be enabling it with Tangerine just like I haven't turned it on with any other service. Now if the CRA would get rid of this requirement for me to do it EVERY TIME I log in, it would make my day.
You are not required to use 2-FA every time you log in. You can select the option of only unregistered computers being required to do so.

Of course, you're right in saying that SMS 2-FA is not very secure. It essentially downloads our banking security to the telco providers, and they are clearly not in the banking business nor have that level of security infrastructure (although with pathetic Canadian banks, that's debatable). However, it's still widely considered better than just login/pass. The login for Tangerine is the bank card number, which is exceptionally unsecure imo. In a lot of cases that is the Visa debit card number that many people will shop with online or use in stores.
_______________
Deal Expert
Jan 17, 2009
19452 posts
28233 upvotes
ONTARIO
Disappointed that it's SMS only.
I would prefer the authenticator app method that has rolling codes every 20 seconds or whatever it is.
Deal Fanatic
Dec 16, 2005
5734 posts
3820 upvotes
thelasthunter wrote: You are not required to use 2-FA every time you log in. You can select the option of only unregistered computers being required to do so.

Of course, you're right in saying that SMS 2-FA is not very secure. It essentially downloads our banking security to the telco providers, and they are clearly not in the banking business nor have that level of security infrastructure (although with pathetic Canadian banks, that's debatable). However, it's still widely considered better than just login/pass. The login for Tangerine is the bank card number, which is exceptionally unsecure imo. In a lot of cases that is the Visa debit card number that many people will shop with online or use in stores.
I would agree that SMS 2FA is better than not having any 2FA but it depends on how they implement the password reset. Previous implementations of SMS 2FA with other organizations have allowed users to reset the password by confirming via SMS alone. That is super insecure and if that's how it is implemented, I would not turn it on either. I'm guessing these companies have learned their lesson.
[OP]
Deal Addict
Nov 21, 2017
3115 posts
3480 upvotes
My only big problem with this Tangerine move is that they got rid of security questions in favour of SMS-2FA (i.e., no security questions if you enable 2-FA).

Security questions add another layer of safety that can be very useful against even sophisticated hackers who often don't have all the pieces of the puzzle. They should have kept them in place (on unregistered devices) especially since SMS-2FA is not ideal.
_______________
[OP]
Deal Addict
Nov 21, 2017
3115 posts
3480 upvotes
mech9t5 wrote: I would agree that SMS 2FA is better than not having any 2FA but it depends on how they implement the password reset. Previous implementations of SMS 2FA with other organizations have allowed users to reset the password by confirming via SMS alone. That is super insecure and if that's how it is implemented, I would not turn it on either. I'm guessing these companies have learned their lesson.
Yup, I agree, that is a huge loophole in some SMS-2FA. Even if hackers swapped my SIM card, they'd still need my login/pass to breach the account. With the SMS pass reset that barrier disappears. One of the reasons I created this thread is to find out if this is the case with Tangerine. If it is, I would disable the SMS 2-FA.

Right now, as far as I can tell, they don't allow SMS pass resets. When I click on "forgot my pin" I am asked to put in my SIN, birth date and answer security questions. I wonder if the SMS reset follows those.
_______________
[OP]
Deal Addict
Nov 21, 2017
3115 posts
3480 upvotes
thelasthunter wrote: Yup, I agree, that is a huge loophole in some SMS-2FA. Even if hackers swapped my SIM card, they'd still need my login/pass to breach the account. With the SMS pass reset that barrier disappears. One of the reasons I created this thread is to find out if this is the case with Tangerine. If it is, I would disable the SMS 2-FA.

Right now, as far as I can tell, they don't allow SMS pass resets. When I click on "forgot my pin" I am asked to put in my SIN, birth date and answer security questions. I wonder if the SMS reset follows those.

Yup, just tried and confirmed. No SMS-pin resets allowed. Thank god!

Having said that - all one needs is SIN, birthday, and answering a single security question - together with the bank card number to reset pin and get in. Still feels a bit thin.
_______________
Deal Addict
Feb 4, 2019
2077 posts
3267 upvotes
BC
On a related note, with CIBC you can now set up to receive the 2FA code in the CIBC mobile app.
[OP]
Deal Addict
Nov 21, 2017
3115 posts
3480 upvotes
rhw123 wrote: On a related note, with CIBC you can now set up to receive the 2FA code in the CIBC mobile app.
Nice. That's like Google Authenticator. Is this a first for a Canadian bank?

On a related note, what happens when someone gets hold of your phone and bypasses the main screen pass/fingerprint? Potentially screwed?
_______________
Deal Addict
Mar 10, 2010
1460 posts
434 upvotes
thelasthunter wrote: You are not required to use 2-FA every time you log in. You can select the option of only unregistered computers being required to do so.

Of course, you're right in saying that SMS 2-FA is not very secure. It essentially downloads our banking security to the telco providers, and they are clearly not in the banking business nor have that level of security infrastructure (although with pathetic Canadian banks, that's debatable). However, it's still widely considered better than just login/pass. The login for Tangerine is the bank card number, which is exceptionally unsecure imo. In a lot of cases that is the Visa debit card number that many people will shop with online or use in stores.
But if you clear cookies every time you close your browser (a normal procedure if you're security conscious) then it's impossible to register a computer since the "registration" process is simply setting a cookie.
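The "registered computer" behaviour discussed in this thread, sketched as an added example that is not part of the thread and not Tangerine's code. The thread only says registration is a cookie; the cookie format, `SERVER_KEY`, the 30-day lifetime and both function names below are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional

SERVER_KEY = b"constructed-demo-key"     # hypothetical server-side secret
TRUST_LIFETIME = 30 * 24 * 3600          # assumed 30-day registration lifetime

def _tag(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def issue_device_cookie(user_id: str, now: int) -> str:
    """Set after a successful second factor when the user registers the device."""
    payload = f"{user_id}|{now + TRUST_LIFETIME}".encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_tag(payload)).decode())

def needs_second_factor(user_id: str, cookie: Optional[str], now: int) -> bool:
    """True when the login must be stepped up to the second factor."""
    if not cookie:                       # cleared cookies look like a new device
        return True
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:                   # malformed cookie (bad split or base64)
        return True
    if not hmac.compare_digest(tag, _tag(payload)):
        return True                      # forged or altered cookie
    owner, _, expiry = payload.decode().rpartition("|")
    return owner != user_id or now >= int(expiry)

if __name__ == "__main__":
    cookie = issue_device_cookie("alice", now=1_000)
    print(needs_second_factor("alice", cookie, now=2_000))   # registered device
    print(needs_second_factor("alice", None, now=2_000))     # cookies cleared
```

The cookie is a bearer token: the server cannot tell the registered browser from a copy of its cookie, so a registered device skips the second factor for whoever holds that cookie until it expires.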